Activity Feed
- Got Karma for Re: ForwardedEvents ingestion broken after update to 9.1. 11-02-2023 07:39 AM
- Posted Re: ForwardedEvents ingestion broken after update to 9.1 on Getting Data In. 10-31-2023 07:34 AM
- Karma ForwardedEvents ingestion broken after update to 9.1 for PickleRick. 10-31-2023 07:34 AM
- Got Karma for Re: how to configure Mcafee Epo to send data to Splunk. 11-18-2022 01:29 AM
- Karma GOTCHA: Upgraded Memory with systemd? Read This! for nickhills. 05-24-2022 12:47 AM
- Posted Re: how to configure Mcafee Epo to send data to Splunk on Getting Data In. 06-17-2021 08:49 AM
- Karma Re: CMMaster - Unable to send scheduled jobs for sramiz. 01-25-2021 02:03 AM
- Posted Re: how to configure Mcafee Epo to send data to Splunk on Getting Data In. 01-06-2021 05:33 AM
- Karma Re: Mouse hover tooltip on inputs for vnravikumar. 06-05-2020 12:50 AM
- Karma Re: Custom Alert Action ui validation for empty values for harsmarvania57. 06-05-2020 12:49 AM
- Karma Re: Splunk sub-processes start/stop every minute (splunk-admon, splunk-powershell, etc). How do we prevent this? for jtacy. 06-05-2020 12:48 AM
- Karma Re: E-mail alerts stopped working since 6.6 upgrade for some users for mafisher_splunk. 06-05-2020 12:48 AM
- Got Karma for Re: Why am I seeing strange characters for Windows event log fields?. 06-05-2020 12:48 AM
- Karma Re: Splunk DB Connect - unable to specify to_date in the rising column for ziegfried. 06-05-2020 12:46 AM
- Karma Re: SA-ldapsearch - NameError: name 'JAVA_HOME' is not defined for linu1988. 06-05-2020 12:46 AM
- Karma Re: SA-ldapsearch - NameError: name 'JAVA_HOME' is not defined for krugger. 06-05-2020 12:46 AM
- Karma Re: Evaluating form field if not null? for tugnet. 06-05-2020 12:45 AM
- Posted Re: Why is the CIDR search on accelerated data failing? on Splunk Search. 05-12-2020 02:25 AM
- Posted Re: Applocker logs through WEC, sid translation for renderXml on Dashboards & Visualizations. 11-10-2016 03:57 AM
- Posted Re: Why am I seeing strange characters for Windows event log fields? on Getting Data In. 05-13-2016 05:19 AM
10-31-2023
07:34 AM
1 Karma
It's actually worse. Splunk doesn't allow you to set the wec_event_format to RenderedText if the channel name doesn't start with ForwardedEvents:
10-20-2023 12:49:20.893 +0200 ERROR ExecProcessor [6396 ExecProcessorSchedulerThread] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - WinEventLogChannelBase::enumLocalWECSubscriptions: subscription:'Applocker' - Invalid WEC destination channel ACME-WEC-Workstations/Applocker for content format RenderedText. RenderedText format is supported only on ForwardedEvents or custom channels named ForwardedEvents-1, ForwardedEvents-2, etc.Consider creating custom channels as the destination log, or change the content format of the subscription to "Events". See the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details.
Also you can't set wec_event_format as 'Events' for the ForwardedEvents channel, and forget about having mixed events in the same channel. It's amazing how such a breaking change was introduced under the carpet.
06-17-2021
08:49 AM
You can test with openssl if a particular cipher works. In your case, the following command can be run on the Splunk server to test if your input can negotiate the cipher "AES256-GCM-SHA384":
openssl s_client -cipher "AES256-GCM-SHA384" -connect localhost:1506
01-06-2021
05:33 AM
1 Karma
I have managed to connect McAfee ePO with Splunk using syslog-tls. The key setting is the cipherSuite in inputs.conf, where I have added the AES256-GCM-SHA384 cipher so that ePO and Splunk can talk together. See below an example extract:
[tcp-ssl://6514]
index = mcafee_epo
sourcetype = mcafee:epo:syslog
source = mcafee:epo:syslog
[SSL]
serverCert = /opt/splunk/etc/path/to/your/certificate_and_key.pem
sslPassword = your_private_key_password
# AES256-GCM-SHA384 suite has been added to support McAfee ePO
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384
Note: The default cipherSuite for inputs differs between Splunk versions. To obtain yours, you can run the command below:
./splunk btool inputs list --debug | grep cipher
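An added example, not code from either of the two ePO posts above, covering both the openssl s_client cipher test and the cipherSuite string. It classifies each suite in the quoted cipherSuite value by key exchange (the appended AES256-GCM-SHA384 is the only one without an ephemeral (EC)DHE exchange, so it offers no forward secrecy, and it becomes available to every client of the port, not just ePO), lists which of them the local OpenSSL build actually enables, and probes a listener the way `openssl s_client -cipher X -connect host:port` does. Function names and the probe target are this example's own assumptions.

```python
"""Added example (not from the original posts): review a Splunk inputs.conf
cipherSuite string and probe a TLS listener for one cipher.

Assumptions of this example, not of the page: the function names below and
that the listener speaks TLS 1.2 (Splunk's tcp-ssl input does).
"""
import socket
import ssl

# The cipherSuite value quoted in the post above (inputs.conf [SSL] stanza).
CIPHER_SUITE = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "AES256-GCM-SHA384"
)

# OpenSSL suite names starting this way use an ephemeral (EC)DH key exchange;
# TLS 1.3 suite names (TLS_...) are always forward secret.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def classify_suites(cipher_suite):
    """Map each suite name in an OpenSSL-style colon list to a verdict.

    A suite with no (EC)DHE prefix, e.g. AES256-GCM-SHA384, uses static RSA
    key exchange: the client encrypts the premaster secret to the server's
    RSA key, so anyone who later obtains the server's private key can decrypt
    recorded sessions. Aliases such as HIGH or ALL are not expanded here; use
    locally_supported() to see what they resolve to.
    """
    verdict = {}
    for name in cipher_suite.split(":"):
        name = name.strip()
        # Skip empty entries and OpenSSL list directives (!X, -X, +X, @STRENGTH).
        if not name or name.startswith(("!", "-", "+", "@")):
            continue
        if name.startswith(FORWARD_SECRET_PREFIXES):
            verdict[name] = "forward-secret"
        else:
            verdict[name] = "static-rsa"
    return verdict


def locally_supported(cipher_suite):
    """Suite names the local OpenSSL build enables for this string, in
    preference order. Raises ssl.SSLError if no suite matches at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_suite)
    return [c["name"] for c in ctx.get_ciphers()]


def probe_cipher(host, port, cipher, timeout=5.0):
    """Equivalent of `openssl s_client -cipher <cipher> -connect host:port`.

    Offers only `cipher` (TLS 1.2 and below; TLS 1.3 suites are not governed
    by set_ciphers, so the version is capped) and returns the negotiated suite
    name, or None if the connection or handshake fails. Certificate checks are
    disabled on purpose: the question is negotiation, not trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for name, verdict in classify_suites(CIPHER_SUITE).items():
        print(f"{name:36s} {verdict}")
    print("enabled locally:", ", ".join(locally_supported(CIPHER_SUITE)))
    # Hypothetical target: the Splunk input from the post on this host.
    print("negotiated:", probe_cipher("localhost", 6514, "AES256-GCM-SHA384"))
```

Run it on the Splunk server next to the btool command from the post: the local list shows what the indexer's OpenSSL really offers, and the probe confirms the one suite ePO needs without trusting a browser-style handshake.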
05-12-2020
02:25 AM
For me CIDR filters on Splunk 7.3.3 fail. For example, the query below should list only destinations which are IPs:
| tstats values(Web.dest) as dest from datamodel=Web where Web.dest="0.0.0.0/0"
However it just lists all kind of values.
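An added example, not part of the post above: the filtering the poster expected from Web.dest="0.0.0.0/0", done in Python over exported values, so the result can be compared against what tstats returns. It keeps only values that parse as an IP address of the network's family and fall inside the CIDR, dropping hostnames, placeholders such as "-" and addresses of the other IP version. Function name and the sample values are this example's own.

```python
"""Added example (not from the original post): CIDR filtering of a list of
destination values, as a reference for what the search should return.
"""
import ipaddress


def cidr_filter(values, cidr):
    """Return the values that are IP addresses inside `cidr`, in input order.

    Anything that is not a valid address (hostname, '-', empty string) is
    dropped rather than passed through, and an address of the other IP
    version never matches, so "0.0.0.0/0" yields exactly the IPv4 values.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    kept = []
    for value in values:
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            continue  # not an IP literal at all
        if addr.version == net.version and addr in net:
            kept.append(value)
    return kept


if __name__ == "__main__":
    # Constructed sample of Web.dest values, not data from the page.
    sample = ["10.1.2.3", "example.com", "2001:db8::1", "-", "192.168.1.0"]
    print(cidr_filter(sample, "0.0.0.0/0"))   # IPv4 only
    print(cidr_filter(sample, "10.0.0.0/8"))  # one match
```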
11-10-2016
03:57 AM
For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the applocker logs due to the difference in how the SID is presented there.
05-13-2016
05:19 AM
1 Karma
I had exactly the same issue. To resolve, change the content format of your subscription from Rendered Text to Events:
wecutil ss "subscription name" /cf:Events
07-10-2013
05:06 AM
Well I figured out the problem. In my case it is returning the displayName as a multivalue field, the first value being empty and the second value containing what I expect. I added the following to my search:
...|eval displayName=mvindex(displayName,-1)|...
I don't know though why ldapfilter returns a multivalue field.
07-08-2013
03:15 AM
I am doing the following search on Splunk 4.3.6 search head:
sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer | eval DN=replace(DN,"}","},") | ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName
The idea is to get the display name of the modified GPO. The search produces the expected results. However, when I try to pipe the result to a table like this:
| table Account_Name,displayName
the displayName column is empty.
What am I doing wrong?
Thanks.
- Tags:
- sa-ldapsearch
07-05-2013
04:15 AM
Thanks, I couldn't figure out why it didn't take my JAVA_HOME, but anyway I created the necessary reg keys in HKLM:SOFTWARE\JavaSoft\Java Runtime Environment. It's working now.
07-05-2013
04:10 AM
Thanks for your support. I took a look at the python files and saw that it actually searches the Windows registry for JAVA_HOME, so I created the necessary entries in HKLM:SOFTWARE\JavaSoft\Java Runtime Environment. Now it works.
07-05-2013
03:28 AM
You can pipe two rex statements if you prefer:
| rex field=your_field "(?<new_field>your regex)" | rex field=new_field "(?<final_field>your regex)"
07-05-2013
03:09 AM
Thanks, the issue is that for security reasons I don't want to install jdk-7u25-windows-x64.exe but would like to use the server version from here: http://www.oracle.com/technetwork/java/javase/downloads/server-jre7-downloads-1931105.html
07-05-2013
01:40 AM
It's the Server JRE version, a Win-x64 tar.gz, which I just extracted to c:\program files\jdk1.7.0_25.
I tried your suggestion of removing JAVA_HOME and doing the set, but the issue remains. Are there any logs I can take a look at to see what's wrong?
07-05-2013
01:09 AM
In props.conf define an EXTRACT to create your field:
EXTRACT-statement = (?P<your_field>your regex)
Then in transforms.conf use SOURCE_KEY to do another regex match on that particular field:
SOURCE_KEY = your_field
REGEX = ...
FORMAT = result_field::$1 result_field2::$2
07-05-2013
12:44 AM
I did, still doesn't work.
07-05-2013
12:43 AM
It didn't work.
Anyway, when I type set in cmd I see the JAVA_HOME variable defined.
07-04-2013
03:18 PM
I am trying to install SA-ldapsearch on my Win2008R2 search head. I installed the Server JRE and then defined JAVA_HOME=C:\Program Files\jdk1.7.0_25 and added C:\Program Files\jdk1.7.0_25\bin to the path. I restarted Splunk, but still when I try to use any of the ldap searches I get the following error: NameError: name 'JAVA_HOME' is not defined.
Does anyone have an idea what's wrong?
06-20-2013
10:12 AM
Indeed to_date is an Oracle function. I am connecting to MS SQL Server, so I wonder if I need to do a conversion of the rising column, which is a date one. Splunk documentation says:
When your rising column is a date, make sure you wrap the checkpoint parameter in a to_date, such as: {{AND $rising_column$ > to_date(?,'YYYY-MM-DD"T"HH:MI:SS')}}. The format you use must be the same as the format that you selected.
But this example is for Oracle.
Anyway, I removed the to_date statement and things seem to work.
06-20-2013
10:04 AM
You are right, I was mistaken in thinking that to_date was a Splunk function, while actually it is an Oracle DB function. I think this needs to be clarified in the DB Connect documentation.
06-20-2013
07:56 AM
I have configured a database input with a query that finishes with the following code:
Where TimeStamp > '2013-06-20 15:00:00.000' {{ AND $rising_column$ > to_date(?,'YYYY-MM-DD"T"HH:MI:SS.MS')}}
Unfortunately I am getting the following error in dbx.log:
2013-06-20 16:37:44.302 dbx1599:ERROR:TailDatabaseMonitor - Error while executing database monitor: java.sql.SQLException: 'to_date' is not a recognized built-in function name.
java.sql.SQLException: 'to_date' is not a recognized built-in function name.
at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:372)
at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2820)
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2258)
at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:632)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:477)
at net.sourceforge.jtds.jdbc.JtdsPreparedStatement.executeQuery(JtdsPreparedStatement.java:776)
at com.splunk.dbx.sql.Database.query(Database.java:203)
at com.splunk.dbx.monitor.impl.TailDatabaseMonitor.performMonitoring(TailDatabaseMonitor.java:113)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.executeMonitor(DatabaseMonitorExecutor.java:126)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.call(DatabaseMonitorExecutor.java:102)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.call(DatabaseMonitorExecutor.java:37)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
What am I doing wrong?
Thanks,
Alex
- Tags:
- Splunk DB Connect 1